How to recognise a Docker container by its MAC address

Summary

| # | Range or Prefix | Vendor | Virtual Machine  |
|---|-----------------|--------|------------------|
| 1 | 02:42           | Docker | Docker container |

Detection Rule 1

Affects products: Docker container

Signature: The first two octets are '02:42'.

Conditions

According to the v1.7 documentation, all Docker containers share the same prefix in their MAC addresses, '02:42:', when the address is generated automatically. The remaining 4 octets of the MAC address are the container's IPv4 address printed in hex. For example, '02:42:ac:11:00:02' is for the '172.17.0.0/16' subnetwork.

Information about this rule has been removed from the documentation for recent versions, but it remains valid.

Here's the source code of the MAC address generator used in Docker v18.09:

func genMAC(ip net.IP) net.HardwareAddr {
	hw := make(net.HardwareAddr, 6)
	// The first byte of the MAC address has to comply with these rules:
	// 1. Unicast: Set the least-significant bit to 0.
	// 2. Address is locally administered: Set the second-least-significant bit (U/L) to 1.
	hw[0] = 0x02
	// The first 24 bits of the MAC represent the Organizationally Unique Identifier (OUI).
	// Since this address is locally administered, we can do whatever we want as long as
	// it doesn't conflict with other addresses.
	hw[1] = 0x42
	// Fill the remaining 4 bytes based on the input
	if ip == nil {
		rand.Read(hw[2:])
	} else {
		copy(hw[2:], ip.To4())
	}
	return hw
}

Still, the administrator can specify any custom MAC address for the container by using the '--mac-address=MACADDRESS' option. Docker does not check if manually specified MAC addresses are unique.
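
The rule above can be applied to asset-inventory data as follows. This is an added example, not code from the original page or from Docker; the names DockerGuess and ClassifyMAC are hypothetical and the sample MAC/IP pairs are constructed. It checks the '02:42' prefix, decodes the last four octets as an IPv4 address, and compares that with the IP actually observed, since a random tail (the ip == nil branch) or a manually set MAC will not line up.

```go
package main

import (
	"fmt"
	"net"
)

// DockerGuess is the result of applying the 02:42 prefix rule to one MAC.
type DockerGuess struct {
	PrefixMatch bool   // first two octets are 02:42
	EmbeddedIP  net.IP // octets 3-6 read as IPv4 (nil if the prefix does not match)
	IPConfirmed bool   // embedded IPv4 equals the IP observed for this MAC
}

// ClassifyMAC applies the rule. observedIP may be "" when it is unknown.
func ClassifyMAC(mac, observedIP string) (DockerGuess, error) {
	hw, err := net.ParseMAC(mac)
	if err != nil {
		return DockerGuess{}, err
	}
	if len(hw) != 6 {
		return DockerGuess{}, fmt.Errorf("not a 48-bit MAC: %s", mac)
	}
	var g DockerGuess
	if hw[0] != 0x02 || hw[1] != 0x42 {
		return g, nil // not the automatically generated Docker prefix
	}
	g.PrefixMatch = true
	g.EmbeddedIP = net.IPv4(hw[2], hw[3], hw[4], hw[5])
	// A prefix match alone is weak evidence: the tail may be random or the
	// whole MAC may have been set by hand. Agreement with the observed IP is stronger.
	if ip := net.ParseIP(observedIP); ip != nil {
		g.IPConfirmed = ip.Equal(g.EmbeddedIP)
	}
	return g, nil
}

func main() {
	// Constructed samples: MAC and the IP seen for it (e.g. in ARP or DHCP data).
	samples := [][2]string{
		{"02:42:ac:11:00:02", "172.17.0.2"},   // prefix and IP agree
		{"02:42:9f:3c:7a:e1", "172.17.0.3"},   // prefix only: tail does not encode the IP
		{"00:1a:2b:3c:4d:5e", "192.168.1.10"}, // no prefix match
	}
	for _, s := range samples {
		g, err := ClassifyMAC(s[0], s[1])
		fmt.Println(s[0], g.PrefixMatch, g.EmbeddedIP, g.IPConfirmed, err)
	}
}
```

A container started with a custom '--mac-address' value outside '02:42' is not recognised by this check at all, so a negative result does not rule out a container.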
